-----BEGIN PGP SIGNED MESSAGE-----
CA-90:12
Last Revised: September 17,1997
Attached copyright statement
CERT Advisory
December 20, 1990
SunOS TIOCCONS Vulnerability
- -------------------------------------------------------------------------
The following information was sent to us from Sun Microsystems. It
contains availability information regarding a fix for a vulnerability
in SunOS 4.1 and SunOS 4.1.1. (A version for SunOS 4.0.3 is currently
in testing and should be available shortly.) For more information,
please contact Sun Microsystems at 1-800-USA-4SUN.
- -------------------------------------------------------------------------
SUN MICROSYSTEMS SECURITY BULLETIN:
This information is only to be used for the purpose of alerting
customers to problems. Any other use or re-broadcast of this
information without the express written consent of Sun Microsystems
shall be prohibited.
Sun expressly disclaims all liability for any misuse of this information
by any third party.
- -------------------------------------------------------------------------
These patches are available through your local Sun answer centers
worldwide. As well as through anonymous ftp to ftp.uu.net in the
~ftp/sun-dist directory.
Please refer to the BugID and PatchID when requesting patches from Sun
answer centers.
NO README information will be posted in the patch on UUNET. Please refer
the the information below for patch installation instructions.
- -------------------------------------------------------------------------
Sun Bug ID : 1008324
Synopsis : TIOCCONS redirection of console input/output is a security
violation.
Sun Patch ID : for SunOS 4.1, SunOS 4.1_PSR_A 100187-01
Sun Patch ID : for SunOS 4.1.1 100188-01
Available for: Sun3, Sun3x, Sun4 Sun4c
SunOS 4.1, SunOS 4.1_PSR_A, SunOS 4.1.1
Checksum of compressed tarfile on ftp.uu.net:~ftp/sun-dist
sum of SunOS 4.1 tarfile 100187-01.tar.Z : 14138 142
sum of SunOS 4.1.1 tarfile 100188-01.tar.Z: 24122 111
- --------------------------------------------------------------------------
README information follows:
Patch-ID# 100188-01
Keywords: TIOCCONS
Synopsis: SunOS 4.1.1: TIOCCONS redirection of console is a security violation.
Date: 17/Dec/90
SunOS release: 4.1.1
Unbundled Product:
Unbundled Release:
Topic:
BugId's fixed with this patch: 1008324
Architectures for which this patch is available: sun3 sun3x sun4 sun4c
Patches which may conflict with this patch:
Obsoleted by: Next major release of SunOS
Problem Description: TIOCCONS can be used to re-direct console output/input
away from "console"
Patch contains kernel object modules for:
/sys/sun?/OBJ/cons.o
/sys/sun?/OBJ/zs_async.o
/sys/sun?/OBJ/mcp_async.o
/sys/sun?/OBJ/mti.o
Where sun? is one of sun4, sun4c, sun3, sun3x, sun4/490-4.1_PSR_A
NOTE: The sun4c does not use mti.o nor mcp_async.o since this architecture
does not have VME slots and therefore cannot use the ALM-2 Asynchronous Line
Multiplexor or Systech MTI-800/1600. So those modules are not needed.
The fix consists of adding permission checking to setcons, the routine
that does the work of console redirection, and changing its callers to
supply additional information required for the check and to see whether
or not the check succeeded. Setcons now uses uid and gid information
supplied to it as new arguments to perform a VOP_ACCESS call for VREAD
permission on the console. If the caller doesn't have permission to
read from the console, setcons rejects the redirection attempt.
INSTALL:
AS ROOT:
save aside the object modules from the FCS tapes as a precaution:
# mv /sys/sun?/OBJ/cons.o /sys/sun?/OBJ/cons.o.orig
# mv /sys/sun?/OBJ/tty_pty.o /sys/sun?/OBJ/tty_pty.o.orig
# mv /sys/sun?/OBJ/zs_async.o /sys/sun?/OBJ/zs_async.o.orig
# mv /sys/sun?/OBJ/mcp_async.o /sys/sun?/OBJ/mcp_async.o.orig
# mv /sys/sun?/OBJ/mti.o /sys/sun?/OBJ/mti.o.orig
copy the new ".o" files to the OBJ directory:
# cp sun?/*.o /sys/sun?/OBJ/
build and install a new kernel:
rerun /etc/config and do a "make" for the new kernel
Please refer to the System and Network Administration Manual for details
on how to configure and install a custom kernel.
- -------------------------------------------------------------------------
Patch-ID# 100187-01
Keywords: TIOCCONS
Synopsis: SunOS 4.1 4.1_PSR_A: TIOCCONS redirection of console is a security
violation.
Date: 17/Dec/90
SunOS release: 4.1 4.1_PSR_A
Unbundled Product:
Unbundled Release:
Topic:
BugId's fixed with this patch: 1008324
Architectures for which this patch is available: sun3 sun3x sun4 sun4c
sun4-490_4.1_PSR_A
Patches which may conflict with this patch:
Obsoleted by: Next major release of SunOS
Problem Description: TIOCCONS can be used to re-direct console output/input
away from "console"
Patch contains kernel object modules for:
/sys/sun?/OBJ/cons.o
/sys/sun?/OBJ/zs_async.o
/sys/sun?/OBJ/mcp_async.o
/sys/sun?/OBJ/mti.o
Where sun? is one of sun4, sun4c, sun3, sun3x, sun4/490-4.1_PSR_A
NOTE: The sun4c does not use mti.o nor mcp_async.o since this architecture
does not have VME slots and therefore cannot use the ALM-2 Asynchronous Line
Multiplexed or Systech MTI-800/1600. So those modules are not needed.
The fix consists of adding permission checking to setcons, the routine
that does the work of console redirection, and changing its callers to
supply additional information required for the check and to see whether
or not the check succeeded. Setcons now uses uid and gid information
supplied to it as new arguments to perform a VOP_ACCESS call for VREAD
permission on the console. If the caller doesn't have permission to
read from the console, setcons rejects the redirection attempt.
INSTALL:
AS ROOT:
save aside the object modules from the FCS tapes as a precaution:
# mv /sys/sun?/OBJ/cons.o /sys/sun?/OBJ/cons.o.orig
# mv /sys/sun?/OBJ/tty_pty.o /sys/sun?/OBJ/tty_pty.o.orig
# mv /sys/sun?/OBJ/zs_async.o /sys/sun?/OBJ/zs_async.o.orig
# mv /sys/sun?/OBJ/mcp_async.o /sys/sun?/OBJ/mcp_async.o.orig
# mv /sys/sun?/OBJ/mti.o /sys/sun?/OBJ/mti.o.orig
copy the new ".o" files to the OBJ directory:
# cp sun?/*.o /sys/sun?/OBJ/
build and install a new kernel:
rerun /etc/config and do a "make" for the new kernel
Please refer to the System and Network Administration Manual for details
on how to configure and install a custom kernel.
- -------------------------------------------------------------------------
Computer Emergency Response Team/Coordination Center (CERT/CC)
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
Internet E-mail: cert@cert.org
Telephone: 412-268-7090 24-hour hotline:
CERT personnel answer 7:30a.m.-6:00p.m. EST, on call for
emergencies during other hours.
Past advisories and other information are available for anonymous ftp
from cert.org (192.88.209.5).
- -------------------------------------------------------------------------
Copyright 1990 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.
CERT is registered in the U.S. Patent and Trademark Office.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
September 17, 1997 Attached Copyright Statement
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBNDo6knVP+x0t4w7BAQEU4QP/Vw4+eWMLiKzIbdTpSzhDd8k6B0gKC0q+
M2iR3k7tNcArwCBpYKVTn3mpjUF14ehQzn54Px2bRVLSEmdcoFzG9KNnmQJHE9tu
DP7c5+CMHojCXgnlkWj7u6lTLiBKGoQaH9HBtTDrhVdbqgNFFjF9YX91313d3XQl
3Inih9vZcVA=
=TDNe
-----END PGP SIGNATURE-----